CryptoniteNXT in the Media

Protecting the Unprotected – Missing Updates and Patches

As a security professional, you already know that TCP/IP networks were not designed with security as a primary goal. At some point, attackers will penetrate your network perimeter. Once inside, they have free and virtually unrestricted movement: they can scan and enumerate the network and, almost as quickly, identify the vulnerabilities available to exploit. By the time the network has been fully enumerated, the attackers usually have a long list of vulnerabilities to choose from.

At the heart of these targets of opportunity is the fact that most updates and patches are not applied promptly. When a new exploit is announced or made public, an attack team can have a targeted phishing campaign out within 24 hours to try to exploit it. Yet even the best IT and security operations teams take days to weeks to get new updates installed, and the larger the enterprise, the longer the internal process for getting an update installed. Unpatched software remains the number one source of exploitable weaknesses for attackers. It is a common hypothesis that most successful targeted attacks would have been prevented if updates and patches had been installed within 24 hours of release. In practice, however, it is unlikely that critical updates and patches will be installed quickly enough to prevent attackers from exploiting known vulnerabilities.

Perhaps the biggest reason for the delay in installing patches and updates is that there are simply too many of them. There is an endless queue, for both operating systems and software applications, that seems to need attention several times per week. Not only does installation get delayed; often the installation never happens at all.

Beyond the problems created by sheer volume, experienced IT teams know that patches and updates can bring a production system down. They have learned that this is a fact of life, so they need to schedule time to test each update, install it in a test environment, and carefully confirm that it will not cause their day-to-day production systems to fail. In some environments, such as manufacturing, there is no equivalent test environment that emulates the entire production process control environment. The truth is that you are flying partially blind until you install. Once you do install, you need to be ready to back the change out as fast as possible if problems arise.

There is also a minor incentive to save labor. Savvy IT veterans know that many major patches are not "quite right" on release. If they can wait a week, someone else will hit the instability and the vendor will follow up with a more stable release.

In the final analysis, most of your servers and endpoints will never be updated in a timely way. Recognizing the problem is the first step towards a solution. The next step is to consider Zero Trust upgrades to your environment. A Zero Trust strategy works just about everywhere and can benefit every industry. Newer Zero Trust technologies, such as moving target cyber defense and micro-segmentation, can help you build out an ecosystem that places a blanket of protection over your network and IT assets even when upgrades and patches are missing.